The present invention relates generally to computer networking techniques. More particularly, the invention provides methods and systems for intrusion (attack) detection for local area networks with wireless extensions. The present intrusion detection can be applied to many computer networking environments, e.g., environments based upon the IEEE 802.11 family of standards (WiFi), Ultra Wide Band (UWB), IEEE 802.16 (WiMAX), Bluetooth, and others. It will be appreciated that applications extend to other computer networking techniques.
Computer systems have proliferated from academic and specialized science applications to day-to-day business, commerce, information distribution and home applications. Such systems can include personal computers (PCs) to large mainframe and server class computers. Powerful mainframe and server class computers run specialized applications for banks, small and large companies, e-commerce vendors, and governments. Personal computers can be found in many offices, homes, and even local coffee shops.
The computer systems located within a specific local geographic area (e.g., an office, building floor, building, home, or any other defined geographic region (indoor and/or outdoor)) are typically interconnected using a Local Area Network (LAN) (e.g., the Ethernet). The LANs, in turn, can be interconnected with each other using a Wide Area Network (WAN) (e.g., the Internet). A conventional LAN can be deployed using an Ethernet-based infrastructure comprising cables, hubs, switches, and other elements.
Connection ports (e.g., Ethernet ports) can be used to couple multiple computer systems to the LAN. For example, a user can connect to the LAN by physically attaching a computing device (e.g., a laptop, desktop, or handheld computer) to one of the connection ports using physical wires or cables. Other types of computer systems, such as database computers, server computers, routers, and Internet gateways, can be connected to the LAN in a similar manner. Once physically connected to the LAN, a variety of services can be accessed (e.g., file transfer, remote login, email, WWW, database access, and voice over IP).
Using recent (and increasingly popular) wireless technologies, users can now be wirelessly connected to the computer network. Thus, wireless communication can provide wireless access to a LAN in the office, home, public hot-spot, and other geographical locations. The IEEE 802.11 family of standards (WiFi) is a common standard for such wireless communication. In WiFi, the 802.11b standard provides for wireless connectivity at speeds up to 11 Mbps in the 2.4 GHz radio frequency spectrum; the 802.11g standard provides for even faster connectivity at about 54 Mbps in the 2.4 GHz radio frequency spectrum; and the 802.11a standard provides for wireless connectivity at speeds up to 54 Mbps in the 5 GHz radio frequency spectrum. The standards such as 802.11n provide even higher connectivity speeds.
Advantageously, WiFi can facilitate a quick and effective way of providing a wireless extension to an existing LAN. To provide this wireless extension, one or more WiFi access points (APs) can connect to the connection ports either directly or through intermediate equipment, such as a WiFi switch. After an AP is connected to a connection port, a user can access the LAN using a device (called a station) equipped with a WiFi radio. The station can wirelessly communicate with the AP.
The application of wireless communication to computer networking can introduce additional security exposure. Specifically, the radio waves that are integral to wireless communication often cannot be contained inside or outside the physical space bounded by physical structures, such as the walls of a building. Because of this signal penetration, unauthorized users, who could be using their wireless devices in a nearby street, parking lot, or building, could launch security attacks on the wireless networks. Moreover, several weak points in the IEEE 802.11 MAC standards have recently been discovered which make such wireless networks easy targets for denial of service (DOS) attacks. See, for example, the paper by Bellardo and Savage entitled “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions,” published in the 12th USENIX Security Symposium in August 2003, for a discussion of deauthentication, disassociation and virtual carrier sense DOS attacks. Other types of DOS attacks, such as authentication flood, association flood and EAPOL START flood, can also be launched on 802.11 wireless networks. In a DOS attack, an attacker sitting in a street, parking lot, or neighboring premises can bring down the wireless network of an organization. This can cause significant loss of productivity.
Conventional techniques can be used for detecting such attacks with varying degrees of success. For example, certain principles of conventional threshold crossing/flooding/anomaly detection can be applied to this problem in a naïve manner. Certain examples of threshold crossing/flooding/anomaly detection techniques can be found in U.S. Pat. No. 6,321,338 to Porras et al. entitled “Network surveillance.” However, such a naïve application is rife with problems such as false alarms, impracticality of threshold tuning and others, as described throughout the present specification and more particularly below.
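To make concrete both the flood attacks named above and the false-alarm problem of naïve threshold detection, the following is an added illustration; it is not the patent's method, nor code from any of the cited works. It assumes a hypothetical sensor log schema (MgmtFrame with a capture time, management-frame subtype and BSSID) and assumed per-subtype thresholds; the three traffic scenarios are constructed inline. A fixed rate threshold over a one-second sliding window does catch a constructed 100-frame deauthentication burst, but the same rule also fires when a constructed batch of 80 legitimate clients re-authenticate and re-associate after an AP restart, which is exactly the false alarm the text refers to.

```python
from collections import deque, defaultdict
from typing import Iterable, NamedTuple


class MgmtFrame(NamedTuple):
    """Hypothetical record of one 802.11 management frame as a monitoring sensor might log it."""
    t: float        # capture time in seconds
    subtype: str    # "deauth", "disassoc", "auth", "assoc_req", "eapol_start"
    bssid: str      # AP (BSSID) the frame concerns


# Naïve rule: alert when more than THRESHOLDS[subtype] frames of one subtype
# are seen for one BSSID within WINDOW seconds. Values are assumptions for the demo.
WINDOW = 1.0
THRESHOLDS = {
    "deauth": 20,
    "disassoc": 20,
    "auth": 50,
    "assoc_req": 50,
    "eapol_start": 30,
}


def detect_floods(frames: Iterable[MgmtFrame]):
    """Sliding-window threshold detector.

    Returns a list of (time, bssid, subtype, count_in_window) alerts, one per
    burst: once a (bssid, subtype) pair has alerted it stays silent until its
    count drops back to or below the threshold.
    """
    windows = defaultdict(deque)   # (bssid, subtype) -> timestamps in window
    alerts = []
    alerted = set()
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype not in THRESHOLDS:
            continue
        key = (f.bssid, f.subtype)
        q = windows[key]
        q.append(f.t)
        while q and f.t - q[0] > WINDOW:   # evict timestamps older than the window
            q.popleft()
        if len(q) > THRESHOLDS[f.subtype]:
            if key not in alerted:
                alerts.append((f.t, f.bssid, f.subtype, len(q)))
                alerted.add(key)
        else:
            alerted.discard(key)
    return alerts


def make_burst(subtype, bssid, start, n, spacing):
    """Constructed helper: n frames of one subtype, evenly spaced from start."""
    return [MgmtFrame(start + i * spacing, subtype, bssid) for i in range(n)]


AP = "00:11:22:33:44:55"   # constructed BSSID

# Scenario 1 (constructed): a quiet network, five deauthentications over ten seconds.
BENIGN = make_burst("deauth", AP, 0.0, 5, 2.0)

# Scenario 2 (constructed): 100 deauthentication frames inside half a second,
# the traffic shape of the deauthentication DOS attack described in the text.
FLOOD = make_burst("deauth", AP, 100.0, 100, 0.005)

# Scenario 3 (constructed): the AP restarts and 80 legitimate clients
# re-authenticate and then re-associate within about a second each.
REBOOT = make_burst("auth", AP, 200.0, 80, 0.01) + make_burst("assoc_req", AP, 200.5, 80, 0.01)


def demo():
    """Run the naïve detector over the three scenarios and return its alerts."""
    return {
        "benign": detect_floods(BENIGN),
        "flood": detect_floods(FLOOD),
        "reboot": detect_floods(REBOOT),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, "->", alerts or "no alert")
```

The benign scenario produces no alert and the deauthentication burst produces one, as intended; but the restart scenario produces two alerts (one for the authentication burst, one for the association burst) even though every frame is legitimate. Lowering the thresholds to catch slower attacks makes this worse, and raising them to silence restarts lets smaller floods through, which is the threshold-tuning impracticality the text describes.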
From the above, techniques for improving security in wireless networks, and in particular the ability to accurately detect security attacks without causing false alarms, are highly desired.